@@ -1,3 +1,8 @@

+Tue Jul 10 22:02:15 CEST 2007 (tk)

+----------------------------------

+  * libclamav/unrar/unrarvm.c: fix possible crash with corrupted archives (bb#555)

+			       Reported by Metaeye SG, patch from Trog

+

 Sun Jul  8 17:25:04 CEST 2007 (acab)

 ------------------------------------

   * misc: Implement compiler indepenedent sign-extended signed right shift

@@ -1650,7 +1650,7 @@ int cli_unrar_extract_next(rar_state_t* state,const char* dirname)

 			cli_dbgmsg("Computed File CRC: 0x%x\n", state->unpack_data->unp_crc^0xffffffff);

 			if (state->unpack_data->unp_crc != 0xffffffff) {

 				if (state->file_header->file_crc != (state->unpack_data->unp_crc^0xffffffff)) {

-					cli_warnmsg("RAR CRC error. Please report the bug at http://bugs.clamav.net/\n");

+					cli_warnmsg("RAR CRC error. If the file is not corrupted, please report at http://bugs.clamav.net/\n");

 				}

 			}

 			if (!retval) {

@@ -347,18 +347,18 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil

 	unsigned int file_offset, cur_pos, predicted;

 	int32_t offset, addr;

 	const int file_size=0x1000000;

-	

+

 	switch(filter_type) {

 	case VMSF_E8:

 	case VMSF_E8E9:

 		data=rarvm_data->mem;

 		data_size = rarvm_data->R[4];

 		file_offset = rarvm_data->R[6];

-		

-		if (data_size >= VM_GLOBALMEMADDR) {

+

+		if ((data_size >= VM_GLOBALMEMADDR) || (data_size < 4)) {

 			break;

 		}

-		

+

 		cmp_byte2 = filter_type==VMSF_E8E9 ? 0xe9:0xe8;

 		for (cur_pos = 0 ; cur_pos < data_size-4 ; ) {

 			cur_byte = *(data++);